Understand SD-WAN Sites and Devices


In Contrail Service Orchestration (CSO), there are two categories of SD-WAN devices: spoke devices and hub devices. These are explained in the sections below.

Spoke Devices

The CPE device at an enterprise customer’s branch site acts as a spoke device in the SD-WAN model. The device also acts as a gateway router, providing connectivity from the branch site to other sites in the tenant network and to the Internet. There are two types of spoke devices: on-premises spoke and cloud spoke.

On-Premises Spoke Devices

On-premises spoke devices can be either NFX Series devices or specific SRX Series devices, as shown in Figure 1.

Figure 1: On-Premises Spoke Devices

NFX Series Network Services Platform

The NFX Series Network Services Platform used as an on-premises spoke device differs from traditional CPE devices in that it can host a range of multivendor VNFs and support service chaining, managed by orchestration software in the cloud. NFX Series devices eliminate the operational complexities of deploying multiple physical network devices at a customer site.

A key VNF supported on the NFX Series platform is the vSRX Virtual Firewall. In the CSO SD-WAN solution, the vSRX instance performs the gateway router function, given its routing and switching capabilities. It also provides the same feature-rich security services found on standard SRX Series devices. Table 1 shows the supported NFX hardware models.


The NFX150 features a built-in SRX firewall in place of the vSRX functionality found on other NFX Series devices.

Table 1: NFX Series for On-Premises Spoke Devices


Models Supported

NFX150 Network Services Platform






NFX250 Network Services Platform




SRX Series Devices and vSRX Virtual Firewalls

A physical SRX device can be used in place of the NFX platform to provide the gateway router function, as can a vSRX instance installed on a server. Table 2 shows the supported SRX hardware and vSRX virtual firewalls.

Table 2: SRX Series for On-Premises Spoke Devices


Models Supported

SRX Series









vSRX Virtual Firewalls

vSRX (standalone)

vSRX (installed in NFX250)

vSRX 3.0 (standalone)

Cloud Spoke Devices

A CSO SD-WAN cloud spoke device, in the form of a vSRX, can be located in an AWS virtual private cloud (VPC). The vSRX serves as a spoke device in the cloud; once the endpoint comes online, it acts like any other spoke device.

Spoke Redundancy

Two redundant CPE devices can be used at spoke sites to protect against device and link failures. For more detail, see the Resiliency and High Availability section of the CSO Design and Architecture Guide.

Provider Hub Devices

The CSO SD-WAN solution supports two deployment topologies: dynamic mesh and hub-and-spoke. In a dynamic mesh deployment, each site has a CPE device that connects to the other sites and the enterprise hub device. In a hub-and-spoke deployment, there is at least one provider hub device and one or more spoke devices.

The provider hub device terminates both MPLS/GRE and IPsec tunnels from spoke devices.

Provider Hubs

In a service provider (SP) environment, the service provider hosts a provider hub device in their network. The provider hub device acts as a point of presence (POP) or connection point. It is typically a shared device, providing hub functionality to multiple customers (tenants) through the use of virtual routing and forwarding instances (VRF). The SP administrator and the OpCo administrator can both manage the provider hub device.

In CSOaaS, the SP administrator role is performed by Juniper Networks as the cspadmin user (or equivalent). The OpCo administrator role can be assigned to a user by the SP administrator, but the OpCo administrator does not have SP administrator privileges.

Figure 2 and Table 3 show the provider hub devices supported in a CSO SD-WAN environment.

Figure 2: SD-WAN Provider Hub Devices

Table 3: Provider Hub Devices


Supported Device Types

Provider Hub






vSRX 3.0

Provider Hub Redundancy

Two redundant provider hub devices can be used at one POP to protect against device and link failures, and to provide upstream multi-homing for spoke sites. For more detail, see the Resiliency and High Availability section of the CSO SD-WAN - Design and Architecture Guide.

Enterprise Hub Sites and Devices

A special type of spoke device, called an enterprise hub device, can be deployed as the CPE at an on-premises site. A spoke site that functions this way must be configured as an enterprise hub site during site addition. Adding an enterprise hub site opens additional functionality for the site:

  • Can act as the anchor point for site-to-site communications on the customer’s network.

  • Can act as the central breakout node for the customer’s network.

  • Offers a specialized department called the data-center department.

  • Supports dynamic LAN segments with BGP and OSPF route imports, including default routes, from the LAN-side L3 device.

  • Allows for intent-based breakout profiles to create granular breakout behavior based on department, application, site, and so on.

In an enterprise environment, the enterprise hub is owned by the customer (tenant) and usually resides within an enterprise data center. Only the customer’s spoke sites can connect to the enterprise hub device. OpCo administrators and tenant administrators can manage the enterprise hub. Figure 3 and Table 4 show the enterprise hub devices supported in a CSO SD-WAN environment.

Figure 3: SD-WAN Enterprise Hub Devices

Table 4: Enterprise Hub Devices and Supported Software


Supported Device Types

Enterprise Hub






vSRX 3.0